This repository has been archived by the owner. It is now read-only.

openssl: disable HEARTBEAT TLS extension

Microsoft's IIS doesn't support it, and is not replying with ServerHello
after receiving ClientHello which contains it.

The good way might be to allow opting out of this at runtime from
javascript-land, but unfortunately OpenSSL doesn't support it right now.

see #5119
indutny committed Mar 26, 2013
1 parent f0b6889 commit 28c6e42ee761b1c55cafd188aa49a174963d43df
Showing with 7 additions and 1 deletion.
  1. +7 −1 deps/openssl/openssl.gyp
@@ -16,7 +16,13 @@
# No clue what these are for.

nitriques Apr 11, 2014

I like this line a lot.

'L_ENDIAN',
'PURIFY',
'_REENTRANT'
'_REENTRANT',

# Heartbeat is a TLS extension, that couldn't be turned off or
# asked to be not advertised. Unfortunately this is unacceptable for
# Microsoft's IIS, which seems to be ignoring whole ClientHello after
# seeing this extension.
'OPENSSL_NO_HEARTBEATS',

JacksonGariety May 15, 2014

"I will always want you..."

],
'sources': [
'openssl/ssl/bio_ssl.c',
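
Review bot: The comment added above 'OPENSSL_NO_HEARTBEATS' records the IIS symptom but not the scope of the define or where the report lives. As a build-time define it compiles heartbeat support out of the bundled OpenSSL for every TLS socket, server side included, not only for the outgoing ClientHello that IIS fails to answer; say that in the comment and cite #5119 there, so a later OpenSSL bump or a cleanup of this list does not drop the flag without retesting. The neighbouring 'L_ENDIAN', 'PURIFY' and '_REENTRANT' entries sit under '# No clue what these are for.', which is worth resolving in the same pass: a defines list for a crypto dependency should state why each entry is there.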

44 comments on commit 28c6e42

mathiasbynens replied Apr 8, 2014

Unintentional security features, episode 42.

mikeal replied Apr 8, 2014

hahaha, best accidental security fix ever :)

danielchatfield replied Apr 8, 2014

👍

forki replied Apr 8, 2014

❤️

joemccann replied Apr 8, 2014

Random acts of brilliance™

jefperito replied Apr 8, 2014

Random acts of brilliance™[2]

bevacqua replied Apr 8, 2014

\o/

Ephemera replied Apr 9, 2014

👏

jpillora replied Apr 9, 2014

opt-out ftw

bluemir replied Apr 9, 2014

good!👍

guileen replied Apr 9, 2014

👍

gougou851129 replied Apr 9, 2014

Behind bad luck comes good luck.

nickleefly replied Apr 9, 2014

❤️ kudos to node

be5invis replied Apr 9, 2014

毒德大学
Sick! Uber! Classic! Masterpiece!

dg-jacquard replied Apr 9, 2014

good!

hackers gonna hack

suroorwijdan replied Apr 9, 2014

this is awesome!

lkuczera replied Apr 9, 2014

👍

leecade replied Apr 9, 2014

💯

stash replied Apr 9, 2014

👏

stuartpb replied Apr 10, 2014

As I pointed out in the mailing list, this is mostly dumb luck, but not entirely, since the bug that led to this change was a symptom of the same problem that allowed Heartbleed to happen (heartbeats being an obscure code path not receiving sufficient bug auditing).

mstksg replied Apr 10, 2014

slow clap

rafaelrinaldi replied Apr 10, 2014

stevepotayteo replied Apr 10, 2014

+1

GauthierD- replied Apr 10, 2014

👏 ❤️

MarcDiethelm replied Apr 10, 2014

I was hoping for some insight in these comments, not for a stream of juvenile and useless low-effort comments. I'm happy, you're happy, we're all happy that Node is not affected. Ok, now do something productive.

Atinux replied Apr 10, 2014

👍

Member

Fishrock123 replied Apr 10, 2014

I find it somewhat amusing that Microsoft's software not liking something forced us to turn off a feature that otherwise contains probably the largest software security vulnerability to date.

Overruler replied Apr 10, 2014

You got lucky with 'OPENSSL_NO_HEARTBEATS', now let's hope you got equally lucky with 'L_ENDIAN', 'PURIFY' and '_REENTRANT'.

trevormcleod replied Apr 10, 2014

Haha. Awesome.

Arcko replied Apr 11, 2014

+1

Nevraeka replied Apr 11, 2014

lol...
a-team-t-shirt-hannibal-a-plan-comes-together
🍻

cecilemuller replied Apr 11, 2014

Slow clap indeed xD

scien replied Apr 11, 2014

+1

smarzola replied Apr 11, 2014

+1

Member

julianduque replied Apr 12, 2014

<3 Epic!

sureshg replied Apr 12, 2014

👏

Member

hemanth replied Apr 12, 2014

dortzur replied Apr 14, 2014

Node is awesome even unintentionally 👍

leeight replied Apr 14, 2014

:-)

joshuakfarrar replied Apr 15, 2014

+1 nice.

LeslieZhu replied Apr 15, 2014

great

vittee replied Apr 23, 2014

+1

jimmiehansson replied May 3, 2014

haha awesome

mykiimike replied Jun 21, 2014

haha perfect !
